I have not done this with Tomcat 9 / Java 11 or CAS 6.x, but it seems to
me you need to fix this:

07-Nov-2019 05:57:51.789 WARNING [main]
com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting
in a Java modular environment (Java 9 and newer) but without proper access
to required Java packages. Use additional Java arguments to provide
Hazelcast access to Java internal API. The internal API access is used to
get the best performance results. Arguments to be used:

 --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED
--add-opens java.base/java.lang=ALL-UNNAMED --add-opens
java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
--add-opens java.management/sun.management=ALL-UNNAMED --add-opens
jdk.management/com.sun.management.internal=ALL-UNNAMED


Also, are you sure the port 5701 is open in the firewall on both hosts? If
it's not, the Hazelcasts can't talk to each other.

Are the host names you're using to configure the Hazelcast members the
actual names of the hosts that resolve to their direct IP addresses? Or do
they resolve to the load balancer? You want them talking directly to each
other, not through the load balancer (it's an entirely "back end"
conversation that doesn't involve the client).

And see Andy's suggestions, as well.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Nov 7, 2019 at 6:40 AM M.Pedis <muratpe...@gmail.com> wrote:

> Hi Dave,
>
> Thanks for your reply. I have tested whether it works as you
> mentioned before, but it didn't work. Also I have new errors about other
> sites. Briefly, my env.:
>
> - I have two CAS servers, casuno.example.edu.tr and casdos.example.edu.tr, and
> one virtual IP behind a NetScaler LB, casnlb.xxxxx.edu.tr (they have
> proper DNS A records, they are all in the same subnet/VLAN, their ufw is
> disabled, and their OS is Ubuntu 1804):
>
>    - Both have openjdk 11.0.4 2019-07-16 and Tomcat 9.0.26, with
>    HTTPS (SSL) on 8443 and HTTP on 8080
>    - Both have nginx; I use it as a reverse proxy;
>    casuno.example.edu.tr:8443 redirects to https://casnlb.example.edu.tr
>    (casnlb has a virtual IP behind the NetScaler LB, round-robin TCP 443)
>    - Both have cas-overlay build.gradle:
>       - compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
>       - compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>       - compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${casServerVersion}"
>    - Both have cas-management-overlay build.gradle (default)
>
>
> *Below is my cas.properties (the only differences between them are the crypto keys!)*
>
> #
> cas.server.name:https://casnlb.xxxx.edu.tr
> server.prefix=${server.name}/cas
> logging.config: file:/etc/cas/config/log4j2.xml
> cas.authn.accept.users=
>
> ##########################################TGC-Secure###########################################################################
> cas.tgc.secure:true
> cas.tgc.crypto.encryption.key:MXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXs
>
> cas.tgc.crypto.signing.key:BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ
> cas.webflow.crypto.encryption.key:jXXXXXXXXXXXXXXXXXXXXXXXX==
>
> cas.webflow.crypto.signing.key:MXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA
>
> ##########################################LDAP#################################################################################
> cas.authn.ldap[0].type=AUTHENTICATED
>
> cas.authn.ldap[0].principalAttributeList=cn,givenName,userPrincipalName,description
> #cas.authn.ldap[0].bindDn=cn=Users,DC=example,DC=edu,DC=tr
> cas.authn.ldap[0].ldapUrl=ldap://adc.example.edu.tr:389
> #cas.authn.ldap[0].searchFilter=cn={user}
> cas.authn.ldap[0].searchFilter=(userPrincipalName={user})
> cas.authn.ldap[0].bindDn=cn=CAS ldap,cn=users,dc=xxxx,dc=edu,dc=tr
> cas.authn.ldap[0].bindCredential=HXXXXXXXXHHH
> cas.authn.ldap[0].baseDn=OU=Users,DC=xxxxxxxxx,DC=edu,DC=tr
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].useSsl=false
>
> ##########################################Services##############################################################################
> cas.serviceRegistry.json.location=file:/etc/cas/services
>
> ##########################################Hazelcast#############################################################################
> cas.ticket.registry.hazelcast.cluster.members: casuno.xxxxx.edu.tr,casdos.xxxxx.edu.tr
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 1
> cas.ticket.registry.hazelcast.cluster.backupCount:      0
> cas.ticket.registry.hazelcast.cluster.port:             5701
> cas.ticket.registry.hazelcast.cluster.portAutoIncrement:false
> cas.ticket.registry.hazelcast.crypto.encryption.key: KXxxXXXXXXXXXXXXXXXXXx==
> cas.ticket.registry.hazelcast.crypto.signing.key: oXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxxXXXxfSkw
> cas.ticket.registry.hazelcast.crypto.enabled:           true
>
> *Below is management.properties (the same on both casuno and casdos)*
>
> cas.server.name=https://casnlb.xxxx.edu.tr
> cas.server.prefix=${cas.server.name}:/cas
>
> mgmt.serverName=https://casnlb.xxxxx.edu.tr/cas-management
> mgmt.adminRoles[0]=ROLE_ADMIN
> mgmt.userPropertiesFile=file:/etc/cas/config/users.json
>
> logging.config=file:/etc/cas/config/log4j2-management.xml
>
> *Below is cas/services, the cas-management web app JSON (the same on both
> casuno and casdos; the JSON names are different and their ids are different)*
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://casnlb.xxxxx.edu.tr/cas-management/*",
>   "name" : "CAS Services Management",
>   "id" : xxxxxxxxxxxxxxx,
>   "description" : "CAS Services Management Webapp",
>   "evaluationOrder" : 10
> }
>
>
>
> ----------------------------------------------------------------------------
>
>
>    1. Start an incognito/private mode browser so there are no cookies
>    (Done)
>    2. Log in to Application 1 through CAS (Done)
>    3. Check the CAS logs to figure out which server handled my login
>    (casuno grabbed/handled the request and I successfully logged in via my
>    domain account ... https://casuno.xxx.edu.tr/cas --- login successful)
>    4. Shut that CAS server down (Done)
>    5. Go back to the browser and access another CAS-protected service --
>    if it lets me in without username/password then Hazelcast is at least
>    nominally working; if I get prompted again, then something is wrong
>
>
> First Error Log (both CAS servers have the same):
>
> 07-Nov-2019 05:57:51.789 WARNING [main]
> com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting
> in a Java modular environment (Java 9 and newer) but without proper access
> to required Java packages. Use additional Java arguments to provide
> Hazelcast access to Java internal API. The internal API access is used to
> get the best performance results. Arguments to be used:
>  --add-modules java.se --add-exports
> java.base/jdk.internal.ref=ALL-UNNAMED --add-opens
> java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED
> --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens
> java.management/sun.management=ALL-UNNAMED --add-opens
> jdk.management/com.sun.management.internal=ALL-UNNAMED
> 2019-11-07 05:57:51,879 WARN [com.hazelcast.instance.AddressPicker] -
> <[LOCAL] [dev] [3.12.3] You configured your member address as host name.
> Please be aware of that your dns can be spoofed. Make sure that your dns
> configurations are correct.>
> 2019-11-07 05:57:51,881 WARN [com.hazelcast.instance.AddressPicker] -
> <[LOCAL] [dev] [3.12.3] You configured your member address as host name.
> Please be aware of that your dns can be spoofed. Make sure that your dns
> configurations are correct.>
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> com.hazelcast.internal.networking.nio.SelectorOptimizer
> (file:/opt/tomcat/webapps/cas/WEB-INF/lib/hazelcast-3.12.3.jar) to field
> sun.nio.ch.SelectorImpl.selectedKeys
> WARNING: Please consider reporting this to the maintainers of
> com.hazelcast.internal.networking.nio.SelectorOptimizer
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
>
>
> Second Error Log (after a login attempt via the LB domain name,
> casnlb.xxx.edu.tr/cas):
>
>
> https://casnlb.xxxx.edu.tr/cas/login?exception.message=Error+decoding+flow+execution
> (this is what the browser shows)
>
>
>
> 2019-11-07 06:02:21,471 ERROR
> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - <Null input buffer>
> java.lang.IllegalArgumentException: Null input buffer
>         at javax.crypto.Cipher.doFinal(Cipher.java:2198) ~[?:?]
>         at
> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92)
> ~[cas-server-core-util-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
>         at
> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:33)
> ~[cas-server-core-util-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
>         at
> org.apereo.cas.util.crypto.CipherExecutor.decode(CipherExecutor.java:105)
> ~[cas-server-core-api-util-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
>         at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
>         at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:?]
>         at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?]
>         at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>         at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279)
> ~[spring-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
> ~[spring-cloud-context-2.2.0.RC1.jar:2.2.0.RC1]
>         at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
> ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at com.sun.proxy.$Proxy333.decode(Unknown Source) ~[?:?]
>         at
> org.apereo.cas.web.flow.executor.WebflowCipherBean.decrypt(WebflowCipherBean.java:35)
> ~[cas-server-core-webflow-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
>         at
> org.apereo.cas.web.flow.executor.EncryptedTranscoder.decode(EncryptedTranscoder.java:103)
> ~[cas-server-core-webflow-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
>         at
> org.apereo.cas.web.flow.executor.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:75)
> ~[cas-server-core-webflow-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
>         at
> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:167)
> ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
>         at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
>         at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:?]
>         at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?]
>         at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>         at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279)
> ~[spring-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
> ~[spring-cloud-context-2.2.0.RC1.jar:2.2.0.RC1]
>         at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
> ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at com.sun.proxy.$Proxy371.resumeExecution(Unknown Source) ~[?:?]
>         at
> org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:254)
> ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
>         at
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
> ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
> ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
> ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>         at
> org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
> ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]
>
>
> It forces me to log in again.
>
>
> Third Error (when we attempt to import a service JSON or create a new one
> via the cas-management web interface UI):
>
> 2019-11-07 06:38:53,144 ERROR
> [org.springframework.boot.web.servlet.support.ErrorPageFilter] -
> <Forwarding to error page from request [/api/services/] due to exception
> [repository not found: /etc/cas/services-repo/.git]>
> org.eclipse.jgit.errors.RepositoryNotFoundException: repository not found:
> /etc/cas/services-repo/.git
>         at
> org.eclipse.jgit.storage.file.FileRepositoryBuilder.build(FileRepositoryBuilder.java:90)
> ~[org.eclipse.jgit-5.3.1.201904271842-r.jar:5.3.1.201904271842-r]
>         at
> org.apereo.cas.mgmt.GitUtil.initializeGitRepository(GitUtil.java:1264)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at org.apereo.cas.mgmt.GitUtil.<init>(GitUtil.java:108)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at
> org.apereo.cas.mgmt.factory.RepositoryFactory.buildGitUtil(RepositoryFactory.java:82)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at
> org.apereo.cas.mgmt.factory.RepositoryFactory.masterRepository(RepositoryFactory.java:72)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at
> org.apereo.cas.mgmt.factory.VersionControlManagerFactory.createNewManager(VersionControlManagerFactory.java:129)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at
> org.apereo.cas.mgmt.factory.VersionControlManagerFactory.getManagementServicesManager(VersionControlManagerFactory.java:114)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at
> org.apereo.cas.mgmt.factory.VersionControlManagerFactory.from(VersionControlManagerFactory.java:97)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at
> org.apereo.cas.mgmt.factory.VersionControlManagerFactory.from(VersionControlManagerFactory.java:40)
> ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>         at
> org.apereo.cas.mgmt.controller.ServiceController.saveService(ServiceController.java:107)
> ~[cas-mgmt-core-6.1.0-RC4.jar:6.1.0-RC4]
>         at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
>         at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:?]
>         at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?]
>         at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>
>
>
> I really don't know how I will continue. Any suggestions or advice for me?
> I just want to build a running HA CAS app.
>
> Thanks for all your help and guidance.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/a28c3353-ce1f-410f-8f77-ffb90d2a1c67%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/a28c3353-ce1f-410f-8f77-ffb90d2a1c67%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
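
The two network checks from the reply at the top of this message (member host names resolving to the hosts themselves rather than the load balancer, and port 5701 reachable between them), as an added example that is not part of the original thread. The function names are hypothetical, `getent` and `nc` are assumed to be installed, and the loopback check goes one step beyond the reply: it flags a member name that resolves to 127.x on the local host.

```shell
#!/bin/sh
# Added example: pre-flight check for Hazelcast member addressing.
# Usage: sh hz_preflight.sh <lb-hostname> <member-hostname> [<member-hostname>...]
# Run it on every member, since resolution and firewalling can differ per host.

HZ_PORT="${HZ_PORT:-5701}"   # cas.ticket.registry.hazelcast.cluster.port

# First IPv4 address a name resolves to via NSS (/etc/hosts, then DNS).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Classify a member's resolved address against the load balancer's address.
# Prints one of: unresolved | loopback | load-balancer | direct
classify_member() {
    _m="$1"; _lb="$2"
    case "$_m" in
        "")    echo unresolved ;;
        127.*) echo loopback ;;      # e.g. a 127.0.1.1 line in /etc/hosts
        *)  if [ -n "$_lb" ] && [ "$_m" = "$_lb" ]; then
                echo load-balancer   # cluster traffic would go through the VIP
            else
                echo direct
            fi ;;
    esac
}

# TCP reachability of the Hazelcast port, 3 second timeout.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

check_cluster() {
    lb_addr=$(resolve_ipv4 "$1"); shift
    rc=0
    for member in "$@"; do
        ip=$(resolve_ipv4 "$member")
        verdict=$(classify_member "$ip" "$lb_addr")
        if [ "$verdict" != direct ]; then
            echo "FAIL $member -> ${ip:-?} ($verdict)"; rc=1
        elif port_open "$ip" "$HZ_PORT"; then
            echo "OK   $member -> $ip, port $HZ_PORT reachable"
        else
            echo "FAIL $member -> $ip, port $HZ_PORT not reachable"; rc=1
        fi
    done
    return "$rc"
}

# Only run the checks when host names are given on the command line.
if [ "$#" -ge 2 ]; then
    check_cluster "$@"
fi
```
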
